Easy Way to Install and Configure OpenVPN Server with Linux and Windows Clients in RHEL & CentOS 7

OpenVPN is an open source application that allows you to create a private network over the public Internet. OpenVPN tunnels your network connection securely through the Internet. This tutorial describes the steps to set up an OpenVPN server and client on CentOS.

We are going to Install and Configure OpenVPN Server with Linux and Windows Clients in RHEL & CentOS 7. We’ll also discuss how to connect a client to the server on Windows, OS X, and Linux.

Note: The same instructions also work on RHEL/CentOS 6 and Fedora systems.

root access to the server (several steps cannot be completed with just sudo access)

Domain or subdomain that resolves to your server that you can use for the certificates

Before we start we’ll need to install the Extra Packages for Enterprise Linux (EPEL) repository. This is because OpenVPN isn’t available in the default CentOS repositories. The EPEL repository is an additional repository managed by the Fedora Project containing non-standard but popular packages.

Installing OpenVPN Server

To install OpenVPN in a RHEL/CentOS 7 server, you will first have to enable the EPEL repository and then install the package, along with easy-rsa – a small RSA key management package used primarily for key management and also for building web certificates.

# yum update && yum install epel-release
# yum install openvpn easy-rsa

When the installation completes, head over to the sample configuration files directory:

# cd /usr/share/doc/openvpn-*/sample/sample-config-files/

and copy the server.conf file to /etc/openvpn:

# cp server.conf /etc/openvpn

Now we’re ready to start configuring the server.

Generate Keys and Certificates

The easy-rsa package provides several scripts as utilities, located inside /usr/share/easy-rsa/2.0 after installation, to generate keys and certificates. For our convenience, we are going to copy those files into /etc/openvpn/rsa (you need to create this directory first). Enter y if prompted to overwrite the existing files:

# mkdir /etc/openvpn/rsa
# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/rsa

Next, we will use the parameters in /etc/openvpn/rsa/vars to indicate the values for our keys and certificates. Change the values according to your needs (fields are self-explanatory):

Configuring OpenVPN

OpenVPN has example configuration files in its documentation directory. We’re going to copy the sample server.conf file as a starting point for our own configuration file.

We need to uncomment the push "redirect-gateway def1 bypass-dhcp" line, which tells the client to redirect all traffic through our OpenVPN.

push "redirect-gateway def1 bypass-dhcp"

Next we need to provide DNS servers to the client, as it will not be able to use the default DNS servers provided by your Internet service provider. We’re going to use Google’s public DNS servers, 8.8.8.8 and 8.8.4.4.

Do this by uncommenting the push "dhcp-option DNS ..." lines and updating the IP addresses.

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

We want OpenVPN to run with no privileges once it has started, so we need to tell it to run with a user and group of nobody. To enable this you’ll need to uncomment these lines:

user nobody
group nobody

Save and exit the OpenVPN server configuration file.

Generating Keys and Certificates

Now that the server is configured we’ll need to generate our keys and certificates. Easy RSA installs some scripts to generate these keys and certificates.

Configuring the OpenVPN Server

1. Specify the length of the Diffie-Hellman parameters. Don’t use a value below 2048 if you don’t want to expose yourself to security threats:

dh /etc/openvpn/rsa/keys/dh2048.pem

2. All IP traffic (such as web browsing and DNS lookups) should go through the VPN. Make sure the following line is uncommented:

push "redirect-gateway def1 bypass-dhcp"

3. As a consequence of #2, you need to specify at least two DNS servers that will be used to resolve names. The default ones are provided by opendns.org and you can either use them or Google’s (8.8.8.8 and 8.8.4.4):

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

4. Finally, as a security measure, we will ensure that openvpn runs with the least privilege by changing the user and the group to nobody:

user nobody
group nobody
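
A quick way to confirm that steps 1 to 4 are active in a given server.conf, written here as an added example that is not part of the original tutorial. The function names and both sample files are assumptions made for illustration, and the DH size is read from the file name only (as in dh2048.pem), not from the parameters themselves.

```shell
# Added example (not from the original tutorial); the function names and
# the two sample files are constructed for illustration.
# Prints one FAIL line per missing or weak setting; returns the failure count.
audit_openvpn_conf() {
    fails=0
    # Active directives only: drop blank lines and '#' / ';' comments,
    # then normalise whitespace so each directive has one spelling.
    active=$(grep -Ev '^[[:space:]]*([#;]|$)' "$1" |
        sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; s/[[:space:]]+/ /g')
    has() { printf '%s\n' "$active" | grep -qxF "$1"; }
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
    # 1. DH size, taken from the file name (dh2048.pem -> 2048).
    bits=$(printf '%s\n' "$active" |
        sed -nE 's/^dh .*dh([0-9]+)\.pem$/\1/p' | head -n 1)
    { [ -n "$bits" ] && [ "$bits" -ge 2048 ]; } || fail "dh missing or below 2048 bits"
    # 2. All client traffic goes through the tunnel.
    has 'push "redirect-gateway def1 bypass-dhcp"' ||
        fail "redirect-gateway is not pushed"
    # 3. At least two DNS servers are pushed to clients.
    dns=$(printf '%s\n' "$active" | grep -c '^push "dhcp-option DNS ' || true)
    [ "$dns" -ge 2 ] || fail "only $dns DNS server(s) pushed"
    # 4. Privileges are dropped to nobody after start-up.
    has 'user nobody' || fail "'user nobody' is not active"
    has 'group nobody' || fail "'group nobody' is not active"
    return "$fails"
}

# Constructed samples: a hardened config and one left close to the defaults.
write_samples() {
    cat > "$1/good.conf" <<'EOF'
dh /etc/openvpn/rsa/keys/dh2048.pem
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
user nobody
group nobody
EOF
    cat > "$1/weak.conf" <<'EOF'
dh dh1024.pem
;push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
;user nobody
;group nobody
EOF
}

dir=$(mktemp -d) && write_samples "$dir"
audit_openvpn_conf "$dir/weak.conf" || echo "weak.conf: $? problem(s)"
```

On a real server, call audit_openvpn_conf /etc/openvpn/server.conf after editing and before starting the service.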

We also need to allow VPN traffic through firewalld and enable masquerading:

# firewall-cmd --permanent --add-service=openvpn
# firewall-cmd --add-service=openvpn
# firewall-cmd --permanent --add-masquerade
# firewall-cmd --add-masquerade

And copy the certificate and key files to /etc/openvpn (the following command assumes your current working directory is /etc/openvpn/rsa/keys):

# cp ca.crt server.crt server.key ../..

Then enable the service:

# systemctl -f enable openvpn@server
# systemctl start openvpn@server

At this point it’s a good idea to check the status of the service.

# systemctl -l status openvpn@server

If it failed to start,

# journalctl -xn

will provide necessary debug information to troubleshoot any issues.

Disable firewalld and SELinux

Step 1 – Disable firewalld

systemctl mask firewalld
systemctl stop firewalld

Step 2 – Disable SELinux

vim /etc/sysconfig/selinux

And change SELINUX to disabled:

SELINUX=disabled

Then reboot the server to apply the change.

Configure Routing and Iptables

Conclusion For How to Install and Configure OpenVPN Server with Linux and Windows Clients in RHEL & CentOS 7

OpenVPN is open source software for building a shared private network that is easy to install and configure on the server. It is a solution for those who need a secure network connection over the public Internet. Congratulations! You should now have a fully operational virtual private network running on your OpenVPN server.